Ransomware Roundup 02.13.23

Written by Halcyon Team
Published on Feb 13, 2023

New ESXiArgs Ransomware Version Targeting VMware ESXi Users

There are reports of a second wave of ransomware attacks after the operators updated the malware to encrypt flat files, in an effort to fix a bug in their encryption routine that had allowed the development of a recovery script. The script was released by CISA after the first wave of attacks, but it will be ineffective on servers infected with the latest version of the ESXiArgs variant.

Late last week, widespread automated ransomware attacks impacted thousands of vulnerable VMware ESXi servers using the novel ESXiArgs ransomware. The updated version of the ransomware is more disruptive to victim organizations because it is capable of encrypting more file types, making it more difficult to remediate.

This wave of ransomware attacks has been targeting VMware ESXi virtual machines that are still at risk from a two-year-old vulnerability for which a patch has been available for some time. Victim organizations that fall prey to attackers through vulnerabilities with published patches often come under criticism for not having applied them in a timely manner. But patching sometimes presents issues of its own.

“Patching systems like VMware can be highly complex for some organizations. In order to avoid breaking critical business systems, patches often need to be applied in development and tested prior to production,” said Jon Miller, CEO and Co-founder at ransomware prevention specialist Halcyon.

“Even then, some issues prevent patching due to legacy systems/software or internal (home-brewed) scripts/applications that will break if the patch is applied. Thus, there can be months+ of work to do before they can be protected, greatly contributing to the large number of vulnerable ESXi/VMs/servers.”

CISA (the Cybersecurity and Infrastructure Security Agency) released a script that was effective in remediating against the first version of the ESXiArgs ransomware, but the agency included an exclamatory “no warranty” warning along with it.

“CISA releasing a script with no guarantee applying it will solve the issue for impacted organizations to regain access and control of their VMware servers is a statement,” Miller continued. “It is rare for CISA to release a tool like this, and shows the level of concern surrounding ransomware operators moving to target beyond traditional corporate endpoints.”

Takeaway: recovery from a ransomware attack is exceedingly difficult, and even agencies charged with protecting organizations and offering guidance for defending and responding to these attacks are still struggling to deliver a consistent and effective strategy. With the cost of responding to a ransomware attack running well into the millions of dollars per event, preventing a ransomware attack from being successful in the first place is the only viable strategy.

New Cl0p Variant Targets Critical Linux System

The infamous Cl0p ransomware group released a new variant that targets critical Linux systems. While this first version of Cl0p for Linux was found to be riddled with bugs and easy to remediate, as we know from experience the developers are going to follow on with debugged versions that could wreak havoc on some very key systems and cause some major disruptions.

“The ‘always on’ nature of Linux systems provides a strategic beachhead for moving laterally throughout the network, so targeting Linux systems would allow the threat actors to brick the most sensitive parts of an organization’s networks, which means the attackers can demand a higher ransom,” said Jon Miller, CEO and Co-founder at ransomware prevention specialist Halcyon.

“Cl0p is a dangerous ransomware family because it has advanced anti-analysis capabilities and anti-virtual machine analysis to prevent further investigations in an emulated environment, such as sandboxing.

Typically ransomware attackers focus on the Windows OS since it has the most market share – they have ROI to think about too when choosing where to put their development resources. While Linux has a tiny footprint in desktop computing, it runs ~80% of all web servers, the majority of smartphones, 100% of the top 500 supercomputers, and a large portion of embedded devices which hold the most sensitive data of all.

Linux is favored by large network applications and data centers that drive most of the U.S. government and military networks, financial institutions, and even the backbone of the internet. So, while there are comparatively few Linux targets, the targets that do exist are potentially extremely lucrative for an attacker.

Takeaway: Ransomware operators continue to advance their skillsets, improve the efficacy of their infection vectors and payloads, and invest heavily in recruiting and retaining new talent, growing and expanding their illicit business operations and capabilities at an astounding pace. Legacy antivirus, NGAV and EDR tools were simply not designed to address the unique threat that ransomware presents, which is why we keep seeing destructive ransomware attacks circumvent these general-purpose solutions. This issue will be compounded by the fact that security offerings for Linux systems are immature at best.

Five Guys Hit by BlackCat/ALPHV Ransomware

The BlackCat/ALPHV ransomware gang posted the popular burger chain Five Guys on its data leak site along with what was purported to be proof of sensitive data exfiltration as part of a Double Extortion scheme to incentivize payment of the ransom demand.

It is assessed that the threat actors may have accessed sensitive company data including banking information and payroll info, as well as recruiting data and other sensitive information. Attackers previously hit Five Guys in an attack that exposed employee data and subsequently led to a lawsuit against the fast food chain stemming from financial fraud associated with the data lost in that attack.

Takeaway: The exfiltration of sensitive data means that even with a robust cyber resilience program and data backups to assist in recovery efforts, organizations face additional risk from the exposure of internal communications, trade secrets, R&D assets, intellectual property and more, and that risk can extend to other organizations as the valuable information is leveraged in other criminal acts.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.
